Introduction
North Korean state-sponsored hackers have deployed over 300 malicious packages through npm in a sophisticated campaign targeting Web3 and cryptocurrency developers. The ‘Contagious Interview’ operation uses fake job recruitment lures to steal credentials and wallet keys, representing a dangerous escalation in software supply chain attacks that threatens the foundation of modern web development and cryptocurrency security.
Key Points
- Attackers used misspelled versions of popular npm packages to trick developers into downloading malware
- The campaign employed encrypted loader scripts that execute payloads directly in memory, leaving minimal forensic evidence
- Fake LinkedIn recruiter accounts were used as social engineering lures, consistent with previous North Korean cyber-espionage tactics
The Anatomy of the Contagious Interview Campaign
Security researchers at Socket uncovered a sophisticated operation where North Korean hackers uploaded more than 300 malicious code packages to the npm registry, the central repository used by millions of developers worldwide. These packages were carefully designed to appear harmless, using misspelled versions of popular libraries like express, dotenv, and hardhat to trick developers into downloading them. The campaign, dubbed ‘Contagious Interview’ by researchers, specifically targeted developers working in blockchain, Web3, and cryptocurrency sectors through fake tech recruiter personas.
The malicious packages employed advanced evasion techniques, including encrypted ‘loader’ scripts that decrypted and executed hidden payloads directly in memory, leaving minimal forensic traces on disk. This sophisticated approach allowed the malware to steal passwords, browser data, and critically, cryptocurrency wallet keys without triggering traditional security alerts. According to Socket’s findings, approximately 50,000 downloads of these malicious packages occurred before many were removed from the registry, though some remain active, continuing to pose a threat to unsuspecting developers.
North Korea's Expanding Cyber Warfare Playbook
The technical evidence gathered by Socket researchers points directly to North Korean state-sponsored actors, with code patterns matching previously identified malware families known as BeaverTail and InvisibleFerret. This attribution aligns with reports from other security groups and government agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which has documented similar tactics in previous DPRK cyber-espionage campaigns. The hackers used fake LinkedIn recruiter accounts to establish credibility and lure their targets, a social engineering approach consistent with Pyongyang’s documented cyber operations.
North Korea’s focus on cryptocurrency theft has become increasingly sophisticated, with previous incidents reportedly netting the regime billions of dollars. The Contagious Interview campaign represents an evolution in this strategy, targeting the developers themselves rather than end-users or exchanges. By compromising the machines of developers working on blockchain and Web3 projects, the hackers gain access to credentials and digital wallets that could contain significant cryptocurrency holdings, while also establishing footholds in development environments that could lead to further compromises down the line.
The Systemic Vulnerability of Open Source Ecosystems
The npm registry serves as the backbone of modern web development, with millions of developers relying on it for essential JavaScript packages. This widespread dependency creates a massive attack surface that state actors like North Korea are increasingly exploiting. Security experts have warned for years that software supply-chain attacks represent one of the most dangerous threats in cyberspace because they spread invisibly through legitimate updates and dependencies, potentially affecting countless downstream applications.
GitHub, which owns npm, has stated it removes malicious packages when discovered and is working to improve account-verification requirements. However, researchers describe the current situation as a game of ‘whack-a-mole’—as soon as one set of malicious packages is taken down, hundreds more appear to take their place. This pattern highlights the fundamental tension in open-source ecosystems: the very openness that makes them powerful and innovative also makes them vulnerable to weaponization by sophisticated adversaries.
For cryptocurrency startups and Web3 development teams, the Contagious Interview campaign serves as a stark warning about the vulnerabilities inherent in their development workflows. Security researchers now urge development teams to treat every ‘npm install’ command as potential code execution, implement rigorous dependency scanning before merging code into projects, and utilize automated vetting tools to detect tampered packages. As state actors continue to refine their approaches, the security of the entire software supply chain becomes not just a technical concern, but a fundamental requirement for the safety of digital assets and the integrity of the cryptocurrency ecosystem.
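One concrete form of the automated vetting the researchers call for is a pre-install check that flags dependency names sitting one or two edits away from well-known packages, the lookalike lure used in this campaign. The following is an added example, not code from Socket or the article; the "popular" list, the edit-distance threshold and the sample package.json are constructed for illustration.

```javascript
// Added example (not from the original article): flag dependency names that are
// near-misses of popular npm packages, the typosquatting lure described above.
// The POPULAR list and the sample manifest below are constructed for illustration.
const POPULAR = ["express", "dotenv", "hardhat", "ethers", "web3", "lodash", "axios"];

// Classic Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Return suspicious dependency names from a parsed package.json object.
// A name is suspicious when it is not itself a popular package but lies
// within `maxDist` edits of one (scope prefixes such as @org/ are ignored).
function findTyposquats(pkg, popular = POPULAR, maxDist = 2) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const hits = [];
  for (const name of Object.keys(deps)) {
    const bare = name.startsWith("@") ? (name.split("/")[1] || name) : name;
    if (popular.includes(bare)) continue;              // exact, trusted name
    for (const real of popular) {
      const dist = editDistance(bare, real);
      if (dist > 0 && dist <= maxDist) {               // near-miss: flag it
        hits.push({ name, lookalike: real, distance: dist });
        break;
      }
    }
  }
  return hits;
}

// Constructed sample manifest: two lookalike names mixed with genuine ones.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { express: "^4.19.0", expres: "1.0.0", dotenv: "^16.0.0", doteenv: "0.1.0" },
  devDependencies: { hardhat: "^2.22.0", "hardhat-deploy": "^0.12.0" }
};

console.log(findTyposquats(SAMPLE_PACKAGE_JSON));
```

Run this against package.json in CI before `npm install`, and fail the job when it returns any hits; it complements, rather than replaces, a registry-backed scanner that inspects package contents and install scripts.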
📎 Source reference: decrypt.co
